U.S. DEPARTMENT OF LABOR
Office of Inspector General

EFAST General Controls Need Strengthening

U.S. Department of Labor
Office of Inspector General
Report No. 09-01-001-12-001

U.S. Department of Labor - Office of Inspector General

TABLE OF CONTENTS

EXECUTIVE SUMMARY .......... 1

INTRODUCTION .......... 3

OBJECTIVE, SCOPE, AND METHODOLOGY .......... 5

FINDINGS AND RECOMMENDATIONS .......... 7

     1. The EFAST Risk Assessment Implementation and Testing Need Improvement .......... 8

     2. The EFAST Continuity of Operations Plan Needs to be Improved and Tested .......... 13

     3. NCS Management Needs to Strengthen Information Security Officer Position .......... 18

APPENDIX A .......... 22

     PWBA Comments on Draft Report

ACRONYMS

     COOP      Continuity of Operations Plan
     DOL       Department of Labor
     ECP       Engineering Change Proposal
     EFAST     ERISA Filing Acceptance System
     ERISA     Employee Retirement Income Security Act of 1974
     FISCAM    Federal Information System Controls Audit Manual
     GAO       General Accounting Office
     IRS       Internal Revenue Service
     ISO       Information Security Officer
     NCS       National Computer Systems, Inc.
     NIST      National Institute of Standards and Technology
     OIG       Office of Inspector General
     OMB       Office of Management and Budget
     PBGC      Pension Benefit Guaranty Corporation
     PWBA      Pension and Welfare Benefits Administration

EXECUTIVE SUMMARY

The Office of Inspector General conducted an audit of the general controls over the Pension and Welfare Benefits Administration’s (PWBA) Electronic Filing Acceptance System (EFAST). Our primary objective was to determine if the EFAST has adequate and effective general controls to protect filings and prevent unauthorized disclosure or modification of sensitive data, or disruption or denial of critical services.

Overall, we concluded that PWBA management has devoted substantial resources and made significant progress in developing the necessary security plans, performing risk assessments and security reviews, and coordinating complex security requirements between the Internal Revenue Service (IRS) and its contractor, National Computer Systems, Inc. (NCS). However, PWBA management needs to take additional action to improve the security of the EFAST. Specifically, PWBA management needs to ensure that NCS management (1) improves the EFAST’s Risk Assessment implementation and testing, (2) fully develops and implements the Continuity of Operations Plan (COOP), and (3) strengthens the Information Security Officer (ISO) position.

The EFAST Risk Assessment Implementation and Testing Need Improvement

PWBA management needs to improve the EFAST’s Risk Assessment implementation and testing. Specifically, (1) the EFAST Risk Assessment does not cover unprocessed filings, (2) many of the controls planned were not implemented, and (3) some of those implemented were never tested. As a result, the EFAST is operating at a risk level that is above the maximum acceptable level established by PWBA.

The EFAST COOP Needs to be Improved and Tested

PWBA management needs to require NCS to more fully develop and implement the EFAST COOP. This occurred because PWBA and NCS management have devoted most of their resources to getting the system operational and have not focused on the COOP. As a result, while the EFAST is operational, it is highly vulnerable to disruptions, disasters, and loss of original unprocessed Form 5500 Series filings.

NCS Management Needs to Strengthen ISO Position

NCS management needs to strengthen its ISO position. NCS management has not provided the necessary job description, training, or written procedures to the ISO. NCS management has devoted its attention to implementing the EFAST and only recently hired an onsite ISO. As a result, the ISO is not aware of security problems and is not adequately involved in security issues.

In conducting our audit, we used the General Accounting Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM). We conducted interviews and tests both at PWBA headquarters and its contractor locations in Kansas and Virginia. Our audit was performed between September 12, 2000, and January 10, 2001, and was conducted in accordance with Government Auditing Standards.

We recommend that the Assistant Secretary for Pension and Welfare Benefits improve and test the EFAST Risk Assessment, fully implement the COOP, and ensure that NCS improves its ISO position.

Summary of PWBA Response

In response to the draft report, PWBA generally concurred with the findings and recommendations. PWBA had already requested and received an engineering change proposal (ECP) from NCS that addressed many of the OIG’s findings and recommendations. PWBA pointed out, however, that there is an administrative process which must be followed to make these changes. Any contract modifications would have to be negotiated by the Department’s procurement staff, and the time frames for these actions were not within PWBA’s control.

PWBA additionally stated that the agency had already taken significant action towards correcting the shortcomings detected by the OIG audit and has had regular discussions with NCS on these issues. For example, PWBA conducted a security retest of the EFAST facility that addressed many of the OIG’s findings and recommendations regarding security controls that were either not tested or never implemented. PWBA also stated it was on track to overhaul and test the Continuity of Operations Plan (COOP) in response to the OIG’s finding that the COOP was not fully developed, implemented, or tested.

PWBA’s response to the draft report in its entirety is attached to this report as Appendix A.
INTRODUCTION

Background

The Employee Retirement Income Security Act of 1974 (ERISA), and provisions of the Internal Revenue Code, assigned responsibility for regulating employee benefit plans to three Federal agencies: the Department of Labor (DOL); the IRS; and the Pension Benefit Guaranty Corporation (PBGC). Within the DOL, PWBA has responsibility for oversight of employee benefit plans.

To meet their oversight responsibilities, all three agencies use information provided by employee benefit plans in their annual reports. These annual reports use the Form 5500 Series for providing the necessary information. Until 2000, plans filed the annual reports with the IRS. In August 2000, PWBA set up a new processing system for the Form 5500 Series called the EFAST.

The purpose of the EFAST is to process the paper and electronic Form 5500 Series filings into computer-readable format and provide PWBA, IRS, PBGC, and the Social Security Administration with comprehensive, accurate, and timely data.

To meet this purpose, in 1997 DOL issued a Request for Proposals for the development and operation of the EFAST to replace the IRS process. In September 1998, DOL awarded a contract to NCS to develop the EFAST system. In August 2000, the EFAST started processing Form 5500 Series filings.

The primary EFAST facility, shown on the right, is located in Lawrence, Kansas. Software development by a subcontractor is being done in Reston, Virginia.

PWBA management expects the EFAST to handle approximately 1.5 million Form 5500 Series returns filed annually by plan administrators and sponsors. Plan administrators file most of these returns on paper, although PWBA management expects the percentage of filings filed electronically to grow.

Principal Criteria

The principal criteria we used in our audit included:

   • OMB Circular A-130: Management of Federal Information Resources.

   • NIST Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook.

   • NIST Special Publication 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems.

   • NIST Special Publication 800-18: Guideline for Developing Security Plans for Information Technology Systems.

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

Our audit objective was to determine if the EFAST has adequate and effective general controls. These general controls include management, operational, and technical computer security controls in place to prevent unauthorized disclosure or modification of sensitive data, or disruption or denial of critical services.

Scope

We designed this audit to assess the effectiveness of general controls in the EFAST. We identified, evaluated, and tested the general controls required to protect sensitive data from the many threats that exist. These threats include, but are not limited to, fraud and abuse, data entry errors, cyber-attacks, natural disasters, utility disruptions, and espionage.

Specifically, we evaluated controls intended to:

   • protect data, files, and programs from unauthorized access;

   • prevent unauthorized changes to systems and applications software;

   • provide segregation of duties between applications and systems programmers, computer operators, security administrators, and other data center personnel;

   • ensure recovery of computer processing operations in case of a disaster or other unexpected interruption; and

   • ensure adequate computer security administration.

We performed our work according to Government Auditing Standards issued by the Comptroller General of the United States. Our audit included such tests of policies and procedures and other auditing procedures we considered necessary in the circumstances.

Methodology

This audit applied the methodology outlined and described in GAO’s FISCAM. This manual provides guidance and recommendations to test general controls in both General Support Systems and Major Application Systems.

During the audit, we visited PWBA’s headquarters and the NCS-operated EFAST facility in Lawrence, Kansas. We also visited the Reston, Virginia, offices of Logicon, the software developer. We interviewed PWBA EFAST officials as well as NCS and Logicon personnel.

To evaluate the controls, we identified and reviewed PWBA’s and NCS’s general control policies and procedures. Through this review and discussions with PWBA and NCS staff, including programming, operations, and security personnel, we learned how the general controls were designed to work and the extent to which data center personnel considered them in place. We also reviewed PWBA’s and NCS’s systems and security software installation and use.

Further, we tested and observed the operation of general controls over the EFAST to determine whether they were in place, adequately designed, and operating effectively. Our tests included attempts to obtain access to sensitive data and programs, which we performed with the knowledge and cooperation of PWBA and NCS officials.

We held an entrance conference on September 12, 2000, and completed our fieldwork on January 10, 2001. We held an exit conference with PWBA headquarters on February 14, 2001. At that meeting, we discussed our findings and recommendations.

FINDINGS AND RECOMMENDATIONS

PWBA and NCS management have devoted large amounts of resources to the EFAST security and have given overall system security a high priority in system development. However, additional actions are needed to ensure that the EFAST security meets minimum requirements for reducing risk to an acceptable level for operations. Specifically, PWBA management needs to ensure the EFAST Risk Assessment is fully implemented and tested, the COOP is more fully developed and tested, and that NCS management strengthens its ISO position to reduce the EFAST’s vulnerability.

1. The EFAST Risk Assessment Implementation and Testing Need Improvement

PWBA management needs to improve the EFAST’s Risk Assessment implementation and testing.
Specifically, (1) the EFAST Risk Assessment does not cover unprocessed filings, (2) many of the controls planned were never implemented, and (3) some of those implemented were never tested. PWBA management oversight emphasized getting the system operational and did not ensure NCS management fully complied with the EFAST Risk Assessment. Also, the EFAST Security Plan NCS officials developed set the sensitivity level too low, which contributed to the problem. As a result, the EFAST is operating at a risk level that exceeds the maximum risk acceptable under the PWBA contract.

Risk Assessment Requirements

OMB Circular A-130 establishes that certain Federal information systems require special attention to security due to the importance of the system to an agency’s mission. The Circular defines these systems as “major applications” and requires that these systems be considered “high risk” due to their importance. This “high risk” assignment then provides the basis for a security plan and risk assessment. PWBA management has designated the EFAST a “major application.”

The risk assessments the Circular requires Federal agencies to develop are to identify threats, vulnerabilities, and the effectiveness of current or proposed safeguards. The Circular further requires these safeguards to be tested to determine if they are operational.

The contract PWBA awarded to NCS required NCS management to develop a security plan and a risk assessment and to test the controls.

EFAST Risk Assessment Needs Improvement

PWBA management emphasized getting the system operational and did not ensure NCS management fully implemented the controls identified in the EFAST Risk Assessment or tested the controls to confirm they were operational.

Contributing to both the development and testing issues of the EFAST Risk Assessment was that the EFAST Security Plan identified the EFAST as a major application but only assigned a “medium” level of risk to the system. This contradicts OMB Circular A-130, which requires major applications such as the EFAST to be considered “high risk.”

Security Controls Not Implemented - The EFAST requires confidentiality because it processes sensitive tax data. It also requires integrity and reliability because of the reliance PWBA, PBGC, and the IRS place on the system for providing information critical to each agency’s mission. The EFAST Risk Assessment completed by NCS identified 261 separate controls which were to be built into the EFAST to minimize risk and help ensure confidentiality, integrity, and reliability.

However, PWBA management did not ensure NCS management implemented all controls identified. These controls are among those selected in the EFAST Risk Assessment as a minimum level of control necessary to provide an acceptable level of risk to the EFAST. Since some of these controls have not been implemented, the EFAST is operating below the minimum level of control PWBA management determined to be acceptable.

Examples of controls not implemented follow:

   • The EFAST Risk Assessment included installing a water drain as a protection against water damage. However, PWBA management did not ensure NCS personnel installed a water drain or other water protection, in either the computer room or the warehouse where the unprocessed Form 5500 Series filings are kept. Both areas contain a sprinkler system which could develop leaks and allow water into the areas, causing damage. As shown in the picture to the right, the warehouse is used to store over a million unprocessed Form 5500 Series filings. These paper filings are easily subject to water damage if the presence of water is not detected.

   • The EFAST Risk Assessment states that any media to be reused will be degaussed or overwritten. This procedure would protect the confidentiality and integrity of data.

   • The EFAST Risk Assessment states that a management control will be established to ensure that all changes to the EFAST hardware or software that could in any way lessen security will be reviewed and approved by the ISO. This control would help ensure security continuity.

   • The EFAST Risk Assessment states that all changes to the EFAST software will be reviewed and approved by management. However, the EFAST Program Manager, who has approval authority, is not documenting this approval on the required forms.

Controls Not Tested - In addition to some controls not being implemented, we found that NCS officials did not test many controls identified in the EFAST Risk Assessment. While the EFAST Risk Assessment identified 261 separate controls that NCS officials would use in the EFAST, NCS officials actually tested 222. The remaining 39 controls were not tested. The EFAST Risk Assessment included these 39 controls as comprising the minimum acceptable level of control.

Examples of controls not tested include:

   • Procedures to ensure NCS management maintains accountability records for keys to the EFAST area doors.

   • Procedures to ensure NCS management maintains remote terminal identifiers for remote terminals used to access the EFAST in a protected file.

   • Procedures that require remote terminals used to access sensitive information be protected with physical and technical security controls. At any one time, EFAST has more than 50 programmers, including subcontractors, with remote access to the system from outside locations.

Overall, NCS management did not test a significant number (39 of 261) of the controls identified as the minimum acceptable level of control in the EFAST Risk Assessment, and neither PWBA nor NCS management has any assurance that these controls exist and are functioning.
Conclusion

PWBA management did not ensure NCS fully implemented and tested the controls the EFAST Risk Assessment identified as the minimum necessary as acceptable for the EFAST.

PWBA management did, however, authorize the EFAST to start processing. Authorization implies PWBA management is accepting the risk in the entire application, although to this date, the EFAST Risk Assessment is incomplete and cannot ensure that the EFAST is achieving an acceptable level of risk for processing Form 5500 Series sensitive data. This condition exposes sensitive confidential tax information to unauthorized disclosure, possible litigation risks, and loss.

Recommendations

We recommend the Acting Assistant Secretary for Pension and Welfare Benefits:

a. Revise the Security Plan to reflect higher risk and determine if any changes are necessary to the EFAST Risk Assessment to reflect the higher risk recognized.

b. Require NCS management to implement and test each control included as a minimum for acceptable processing.

PWBA’s Comments on Draft Report

In its response to the draft report PWBA stated:

      PWBA generally concurs with the OIG’s findings and recommendations regarding the EFAST security plan and risk assessment. PWBA plans to address these shortcomings through a combination of efforts including: revising the security plan and developing a risk mitigation plan to verify the applicability of all security controls, fully implementing the applicable security controls, and ensuring that all security controls established for EFAST are adequately tested.

PWBA concurred with each recommendation and stated:

      PWBA is scheduled to update the Computer Security Plan by late June 2001 which will designate EFAST as a high risk application. PWBA does not believe that any changes are necessary to the EFAST Risk Assessment to reflect the higher risk recognized because the EFAST Risk Assessment incorporated the C2 level security requirements which were determined to be appropriate. However, as stated above, PWBA will develop a Risk Mitigation Plan to address the OIG’s overriding concern that risk mitigation measures be instituted to address security controls that have not been tested or implemented.

PWBA also pointed out some wording in the draft report which could be confusing or misleading.

OIG Evaluation of PWBA Comments

We made changes to the wording in the draft report as PWBA suggested.

PWBA responses are sufficient to resolve the recommendations. The recommendations will be closed when the corrective actions are complete.

2. The EFAST COOP Needs to be Improved and Tested

PWBA management has not ensured NCS management fully developed or implemented the EFAST COOP. This is because PWBA and NCS management have devoted most of their resources to getting the EFAST operational. As a result, while the EFAST is operational, it is operating with high vulnerability to disruptions, disasters, and loss of original unprocessed Form 5500 Series filings.

COOP Requirements

OMB Circular A-130 specifically requires each government entity’s major application to have a COOP. The Circular states that a COOP should include system backup policy and procedures and one or more recovery strategies to cover partial loss of equipment or service due to disasters.

Also, OMB Circular A-130 and NIST Special Publication 800-14 require testing of the COOP. Specifically, NIST Publication 800-14 Section 3.6.5 states that an organization needs to test its COOP because there will undoubtedly be flaws in the COOP.

As required by the contract with PWBA, NCS management prepared a COOP which PWBA management accepted on June 15, 2000. The COOP calls for recovery of any disruption within 30 days. It analyzes the risks of operational disruption and describes the controls and actions necessary to reduce such disruption.

COOP Needs Improvement

PWBA management, however, has not ensured that NCS management (1) developed the COOP to cover unprocessed filings, or (2) implemented all the controls and support actions described in the COOP. Several vulnerabilities exist that could affect the EFAST processing and delay restoring service in case of disaster. The following sections discuss several vulnerabilities.

Water Danger to Filings Not Covered - The EFAST COOP deals with two potential water problems: natural flood and water supply leaks. The initial response and action procedures cover protecting the computer equipment. These procedures do not cover protecting the unprocessed filings. The filings are stored next to the EFAST processing area. Water sprinklers and pipes are directly above the uncovered filing storage bins as shown in the photograph on page 9.

NCS officials do have protective plastic sheets to cover the filings to protect them from water damage. However, the plastic sheets were locked in a file cabinet. The sheets consisted of four small rolls of clear plastic that appeared to cover approximately 200 square feet. These rolls would not cover even a small fraction of the filings.

Data Backups Not Performed - The COOP requires that the EFAST databases be backed up daily. This, however, is not being done. According to the daily backup log, NCS officials did not do any backups from the time the EFAST processing started on July 1, 2000, until October 18, 2000. During this time, NCS management processed more than 164,000 filings and schedules without any backup. Additionally, according to the backup log, NCS officials did not perform backups on 13 of the 29 work days from October 18, 2000, through November 27, 2000.

Emergency Procedures Do Not Cover Filings - Neither the COOP nor NCS’ emergency procedure manual includes procedures for protecting or recovering actual Form 5500 Series filings. The emergency procedures in both documents include detailed steps to follow in evacuating the building in case of fire, tornado, or evacuation drill. The documents also cover steps to take to protect the system hardware and software. However, the documents do not have procedures to guide personnel to protect the paper filings that await processing in case of a water leak or any other emergency. If an emergency or disaster were to occur, the actual paper Form 5500 Series filings may be subject to loss or destruction.

Alternate Processing Site Not Implemented - The COOP, as required, specifies an alternate processing site in the event a disaster damages the EFAST facility. The COOP specifies a particular company to provide back-up facilities and details on how that company will make facilities available. However, NCS management has not executed a contract with this company or even confirmed that the company is still available for back-up protection.
As a result, NCS management does not have assurances that, if the EFAST facility became inoperable, there would be any back-up facility at all or when one could be provided.

COOP Not Tested as Required - The EFAST COOP states that NCS will test the COOP. However, NCS management did not test the COOP as part of the overall system testing, and NCS management does not plan to perform testing at all. EFAST has been operating since July 1, 2000. We believe that the COOP should have been tested as part of the overall system testing. At a minimum, NCS management should have plans as to when and how testing will be performed. Without testing, NCS management does not have assurances that their planned recovery procedures will be effective.

Conclusion

We concluded that the COOP needs to be improved and tested to be effective. This is necessary to ensure that NCS personnel can quickly and appropriately respond to emergencies and that the EFAST and its data will be adequately protected. This is particularly true for two reasons. First, the EFAST provides necessary information for three different agencies: PWBA, IRS, and PBGC. It also provides some information to the Social Security Administration. Therefore, although PWBA operates the EFAST, it must be responsive to the needs of the other agencies. Second, in the near future the EFAST will be providing on-line capability to PWBA, PBGC, and IRS with over 300 direct users planned. As on-line usage increases, the reliability of the system becomes more critical. Therefore, PWBA management needs to take action to improve the EFAST contingency planning.

Recommendations

We recommend that the Acting Assistant Secretary for Pension and Welfare Benefits require NCS management to:

a. Revise the COOP to specifically provide for damage to the paper Form 5500 Series filings.

b. Implement all procedures and controls identified in the COOP, including but not limited to, alternate site selection and data backup.

c. Test the COOP and determine its effectiveness.

PWBA’s Comments on Draft Report

PWBA concurred with this finding and stated:

      PWBA concurs with the OIG’s findings that the COOP has not been fully developed, implemented, or tested. PWBA plans to address these shortcomings by updating the COOP, following through to ensure that all COOP controls are implemented, and fully testing the COOP.

      As a point of clarification, PWBA would like to point out an inconsistency in the wording in the draft audit report which might be confusing or misleading regarding the COOP. The Executive Summary states on page 1 that “the EFAST COOP needs to be developed and implemented.” PWBA believes this statement is somewhat misleading because it implies that a COOP was not developed and implemented, when it was. However, in the summary of Findings and Recommendations, the report specifies on page 12, 1st bullet, that “PWBA management has not ensured NCS management fully developed or implemented the COOP.”

Regarding the specific recommendations, PWBA concurred and stated:

      PWBA has requested and received an ECP from NCS which covers, among other things, the upgrading of the EFAST facility to protect against sprinkler mishap. We are acutely aware of the need to protect unprocessed paper filings from water damage arising from sprinkler mishap. To address this potential hazard, the ECP contains several important enhancements to the water sprinkler system. Specifically, NCS proposes to upgrade the sprinkler system to a pre-action valve, wet system in the EFAST production area and warehouse to better protect the EFAST 5500 forms. In the interim period prior to implementing the provisions of the ECP, NCS has secured and put in place sufficient plastic sheeting to cover the filings to protect them from water damage.

      . . . . NCS is scheduled to update and deliver a new version of the COOP to PWBA by late June 2001. This is a regularly scheduled update to the COOP that is called for in the EFAST contract. PWBA intends to notify NCS of all remaining COOP shortcomings identified by the OIG and will insist that all deficiencies are remedied in the new version of the COOP, and that the procedures and controls are in place, such as alternate site selection and data backup. This action will specifically address the OIG’s findings concerning: 1) data backups not performed, 2) emergency procedures do not cover filings, and 3) alternate processing site not implemented.

      . . . . PWBA intends to strictly enforce all contractual provisions regarding the COOP, such as the requirement to test the COOP per OMB Circular A-130 and NIST Special Publication 800-14. Upon delivery of the final COOP in late June 2001, PWBA will follow up with NCS to ensure that all procedures and controls identified in the COOP are implemented.

OIG Evaluation of PWBA Comments

PWBA’s concurrence is sufficient to resolve the recommendations, and they will be closed when the COOP is updated, implemented, and tested. In addition, we have made changes to the final report to clarify that PWBA had required that a COOP be developed.

3. NCS Management Needs to Strengthen ISO Position

NCS management needs to strengthen its ISO position. NCS officials have not provided the necessary job description or training to the ISO. Nor does NCS have written security procedures.

OMB Circular A-130, Appendix III states that sound and effective information security management requires that a management official be assigned responsibility for security of the data and system. This management official needs to be knowledgeable (1) about the information and process supported by the application and (2) in the management, personnel, operational, and technical controls used to protect it. The Circular states that this official shall ensure that effective security products and techniques are appropriately used in the application. This official is to be contacted when a security incident occurs.

Moreover, NIST Special Publication 800-14 Section 2.5 states that the responsibilities and accountability of owners, providers, and users of IT systems and other parties concerned with the security of IT systems should be explicit.

ISO Position Needs Strengthening

NCS management has designated the ISO position to be responsible for the EFAST security. However, the ISO does not have the necessary management tools to accomplish the ISO duties most effectively. Specifically, NCS management has not developed a job description to establish ISO responsibilities clearly, provided sufficient ISO training, or written security review procedures.

No Job Description - NCS management has not developed a job description for the EFAST ISO.
This is a basic management tool needed to ensure that the ISO, the ISO\xe2\x80\x99s supervisors\nand other NCS and PWBA personnel understand the ISO mission, functions, and\nresponsibilities. An ISO job description would be an integral part of explicitly defining the\nISO responsibilities.\n\nAlso, without a job description, NCS management has not provided the ISO sufficient\nauthority to accomplish the ISO duties and responsibilities. While the ISO is charged with\nmaintaining the EFAST integrity and security, the ISO has only limited access to the\nEFAST and cannot directly monitor computer security activity. For example, the ISO does\n\nU.S. Department of Labor - Office of Inspector General\n\n\n\n\n                                              21\n\x0cnot have a computer terminal that accesses the EFAST. The ISO must use another\nemployee\xe2\x80\x99s terminal to do this. Also, the ISO does not have sufficient system authority to\nreview the on-line EFAST security log. This log is readily accessible to other EFAST\nemployees. The ISO relies on obtaining a printed copy of the EFAST security log each\nweek from the system administrator.\n\nTraining is Needed - NCS management has not provided sufficient training to the ISO\nposition. We reviewed the ISO\xe2\x80\x99s personnel file and found that the only training NCS\nmanagement provided was a one-week security training course. While the current ISO is\nhighly qualified in IT systems technology, job specific training is necessary to ensure that the\nISO effectively manages security.\n\nNo Written Security Procedures - NCS does not have written security procedures. Such\nprocedures are needed for the ISO to follow or to inform NCS management how the\nsecurity program will function. 
NCS management does not have any specific procedures for\ndetermining the frequency of security reviews or how the ISO will perform the reviews.\nOther than day-to-day contact with the ISO, NCS management has no method to determine\nhow the ISO position will function in the EFAST environment.\n\nThese weaknesses in security management have allowed specific security problems to occur,\nas discussed below.\n\n   \xe2\x80\xa2 During our visit to the EFAST facility, we could enter the EFAST restricted area\n     without badges or authorization through an unlocked back door. Subsequently, NCS\n     officials discovered two other unlocked doors that were supposed to be locked. All\n     three doors had faulty locks. NCS management had not clearly identified the\n     responsibility for ensuring these doors were locked.\n\n   \xe2\x80\xa2 The electronic filing firewall was disabled without the ISO\xe2\x80\x99s knowledge. The EFAST\n     accepted more than 15,000 filings without benefit of a working firewall. When NCS\n     brought the EFAST online, the system would not work with its existing firewall. NCS\n     and PWBA officials decided to disable the firewall and accept the electronic filings\n     without the protection. They made this decision without the involvement of or input\n     from the ISO who is responsible for overall EFAST security.\n\n   \xe2\x80\xa2 The ISO reviews the EFAST computer security log weekly, not daily as required by\n     NIST Special Publication 800-14. The EFAST ISO, however, does not have\n\nU.S. Department of Labor - Office of Inspector General\n\n\n\n\n                                              22\n\x0c       sufficient system access to do this. In fact, as previously noted, the ISO does not\n       have a direct access to the system online. 
Instead, the ISO relies on the system\n       administrator to furnish a printed log each week.\n\nConclusion\n\nNCS management needs to improve security management to prevent these types of\nincidents from occurring. Effective security management requires developing an ISO job\ndescription, providing additional ISO security training, and developing written security\nprocedures.\n\nRecommendations\n\nWe recommend that the Acting Assistant Secretary for Pension and Welfare Benefits\nrequire NCS management to:\n\na. Develop a comprehensive written job description for the ISO, including delegating\n   appropriate authority.\n\nb. Provide additional security training to the ISO.\n\nc. Develop written procedures that detail the ISO\xe2\x80\x99s procedures to ensure that NCS\n   management (1) maintains proper EFAST security, including physical security, and (2)\n   consults or informs the ISO regarding all EFAST security changes.\n\n\nPWBA\xe2\x80\x99s Comments on Draft Report\n\nPWBA concurred with this finding and stated :\n\n       PWBA concurs with the OIG\xe2\x80\x99s findings and recommendations regarding\n       strengthening the ISO position. PWBA plans to address these shortcomings\n       through the ECP described above, which, among other things, will bolster the\n       position and update and maintain the \xe2\x80\x9cEFAST Security Procedures Manual.\xe2\x80\x9d\n\nPWBA clarified that it had required written security procedures for EAST. PWBA stated:\n\n\nU.S. Department of Labor - Office of Inspector General\n\n\n\n\n                                              23\n\x0c      A point of clarification is necessary regarding the OIG\xe2\x80\x99s finding that \xe2\x80\x9cNCS does\n      not have written security procedures.\xe2\x80\x9d As a condition of the EFAST security\n      certification process, PWBA directed that NCS develop written security\n      procedures that describe the duties and responsibilities of the ISO. 
NCS\n      subsequently developed a document entitled \xe2\x80\x9cEFAST Security Procedures\n      Manual\xe2\x80\x9d that describes the NCS security procedures. A draft, \xe2\x80\x9cworking\xe2\x80\x9d version\n      of this document was delivered to PWBA by NCS in February 2001--and it\n      addresses the majority of the OIG\xe2\x80\x99s concerns regarding the lack of written\n      security procedures. The document will continue to be updated and maintained\n      through the life of contract.\n\nOn the recommendations, PWBA stated the security-related ECP solicited from NCS included\nstrengthening the ISO position. The security ECP also covered the provision of additional\nsecurity training to the ISO. PWBA also stated that it would require NCS to continue to\ndevelop, update, and maintain security procedures to ensure that NCS management (1)\nmaintains proper security, including physical security, and (2) consults or informs the ISO\nregarding all security changes.\n\nPWBA anticipated these actions would be completed by the end of FY 2001.\n\nOIG Evaluation of PWBA Comments\n\nAt the time we completed out fieldwork in January 2001, NCS had not yet developed the\nEFAST written security procedures.\n\nHowever, we believe that these procedures, when finalized, in conjunction with other\nPWBA corrective actions, are sufficient to resolve the recommendations. The\nrecommendations will be closed when the security procedures are finalized and approved\nand the ECP process PWBA described is completed.\n\n\n\n\nU.S. Department of Labor - Office of Inspector General\n\n\n\n\n                                            24\n\x0c                               APPENDIX A\n\n                 PWBA Comments on the Draft Report\n\n\n\n\nU.S. Department of Labor - Office of Inspector General\n\n\n\n\n                                      25\n\x0c'